- From:
- Mikhail <mp39590@gmail.com>
- Subject:
- gotd: unveil in PROFILE builds
- To:
- gameoftrees@openbsd.org
- Date:
- Mon, 1 May 2023 21:25:50 +0300
Download raw body.
Thread
gotd: unveil in PROFILE builds
Download raw body.
gotd: unveil in PROFILE builds
apply_unveil_none() hides whole file system and it makes getpwuid fail
in PROFILE builds
diff /home/misha/work/got
commit - c000aa350eac5ac329beb278a513e5f978d2a463
path + /home/misha/work/got
blob - 23fb7de78a4d49528a35ce6f683badab359d83bc
file + gotd/gotd.c
--- gotd/gotd.c
+++ gotd/gotd.c
@@ -1667,6 +1667,7 @@ static void
fatal("unveil");
}
+#ifndef PROFILE
static void
apply_unveil_none(void)
{
@@ -1676,6 +1677,7 @@ apply_unveil_none(void)
if (unveil(NULL, NULL) == -1)
fatal("unveil");
}
+#endif
static void
apply_unveil_selfexec(void)
@@ -1841,12 +1843,12 @@ main(int argc, char **argv)
#ifndef PROFILE
if (pledge("stdio sendfd unix unveil", NULL) == -1)
err(1, "pledge");
-#endif
/*
* Ensure that AF_UNIX bind(2) cannot be used with any other
* sockets by revoking all filesystem access via unveil(2).
*/
apply_unveil_none();
+#endif
listen_main(title, fd, gotd.connection_limits,
gotd.nconnection_limits);
@@ -1856,7 +1858,6 @@ main(int argc, char **argv)
#ifndef PROFILE
if (pledge("stdio getpw recvfd unix unveil", NULL) == -1)
err(1, "pledge");
-#endif
/*
* We need the "unix" pledge promise for getpeername(2) only.
* Ensure that AF_UNIX bind(2) cannot be used by revoking all
@@ -1864,6 +1865,7 @@ main(int argc, char **argv)
* files will still work since "getpw" bypasses unveil(2).
*/
apply_unveil_none();
+#endif
auth_main(title, &gotd.repos, repo_path);
/* NOTREACHED */
gotd: unveil in PROFILE builds